skill-advisor
Pass
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the npx skills CLI tool to perform search and installation operations. It also utilizes standard shell commands like ls, rm, and find for verifying and cleaning up local skill directories across multiple agent environments, including Claude Code, Gemini CLI, and OpenCode.
- [EXTERNAL_DOWNLOADS]: Fetches and installs external skill packages from remote repositories via the npx skills add command. The skill specifically references documentation and source code from the Vercel Labs GitHub organization, which is a trusted source.
- [PROMPT_INJECTION]: The skill instructions direct the agent to read and evaluate the contents of external SKILL.md files from remote repositories. This creates a surface for indirect prompt injection where untrusted external content could influence agent behavior during the evaluation phase.
Audit Metadata